I'm working on a website using PHP, jQuery, CSS, Bootstrap (standard suite) and I'd like to implement standard Google 2FA. Now, I know how 2FA usually works - the client gets a secret code, he enters that into his mobile app and every X seconds he gets the correct key to authenticate on the server. In my case, besides the usual server-side "entered code checking", I would also like to implement, on my website, the "client part" of the system as well!

In short, I want my website to show the correct "XXX XXX" number that my website would accept. I know it's counter-intuitive but I need to have on my website both the 2FA "entered code checker" and also to show the correct number that would be accepted by my server.

Is that possible? I found some examples of how to implement the server-side part of the story (this url) but how can my webpage pull the correct code from Google using the provided secret?

EDIT: Is Google 2FA safe to be used as a Random Number Generator? My idea is to use such a system as a "user-verifiable RNG"

guest86
  • You should not do this. It would defeat the purpose of 2FA. – ceejayoz Jul 18 '21 at 23:48
  • basically, you'll want to implement TOTP - and no, 2FA is not at all a good RNG – Bravo Jul 18 '21 at 23:48
  • "EDIT: Is Google 2FA safe to be used as Random Number Generator?" No. They are, by definition, *not* random; they are predictable if you have the key. That's the point of them. – ceejayoz Jul 18 '21 at 23:48
  • Oh, ok. I'm reading something more about TOTP and HOTP and I can tell it's not a random number sent by Google based on secret key (as I expected), there's more to it :( – guest86 Jul 18 '21 at 23:54

0 Answers
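As the comments point out, the codes are TOTP values computed locally from the shared secret and the clock, not numbers fetched from Google, which is also why they are predictable to anyone holding the secret. The following is an added example (not from the question or its comments) of RFC 6238 TOTP in PHP, assuming the usual authenticator defaults of HMAC-SHA1, 30-second steps and 6 digits; the function names and the sample secret are constructed for illustration.

```php
<?php
// Added example: RFC 6238 TOTP as used by authenticator apps. Requires 64-bit PHP 7+.

// Decode an RFC 4648 base32 string (the form in which secrets are shared with the app).
function base32_decode_secret(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(rtrim(str_replace(' ', '', $b32), '='));
    if ($b32 === '') {
        throw new InvalidArgumentException('empty secret');
    }
    $buffer = 0; $bits = 0; $out = '';
    foreach (str_split($b32) as $ch) {
        $val = strpos($alphabet, $ch);
        if ($val === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $buffer = ($buffer << 5) | $val;
        $bits += 5;
        if ($bits >= 8) {                 // a full byte is available
            $bits -= 8;
            $out .= chr(($buffer >> $bits) & 0xFF);
            $buffer &= (1 << $bits) - 1;  // keep only the leftover bits
        }
    }
    return $out;
}

// Code = truncate(HMAC-SHA1(key, floor(time / step))). No randomness is involved.
function totp(string $key, int $time, int $step = 30, int $digits = 6): string
{
    $mac = hash_hmac('sha1', pack('J', intdiv($time, $step)), $key, true);
    $offset = ord($mac[19]) & 0x0F;       // dynamic truncation (RFC 4226)
    $bin = unpack('N', substr($mac, $offset, 4))[1] & 0x7FFFFFFF;
    return str_pad((string) ($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Server-side check: accept the current step and one step either side for clock drift.
function totp_verify(string $key, string $code, int $time, int $window = 1): bool
{
    $ok = false;
    for ($i = -$window; $i <= $window; $i++) {
        $ok = hash_equals(totp($key, $time + $i * 30), $code) || $ok;
    }
    return $ok;
}

// Constructed sample secret (base32 of the RFC 6238 test key), not a real credential.
$key = base32_decode_secret('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ');
$now = time();
echo totp($key, $now), PHP_EOL;           // same secret and same 30 s step: same code
var_dump(totp_verify($key, totp($key, $now - 30), $now)); // previous step is still accepted
```

A page that prints `totp()` for a user's secret reveals the second factor to anyone who can load that page, and because the output is a pure function of secret and time it offers no unpredictability to anyone who knows the secret.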